China Passes Long-Awaited Cyber Security Law

Ron Cheng, Contributor. Ron Cheng is a partner at O'Melveny and a former federal prosecutor. Opinions expressed by Forbes Contributors are their own.

On November 7, the Standing Committee of China’s legislature, the National People’s Congress (NPC), adopted the Cyber Security Law of 2016 (unofficial English translation on China Law Translate). The NPC released a first draft in July 2015, which elicited substantial comment from the Western business community. In June 2016, the NPC released a second draft with some changes, but largely the same on the main issues identified in the comments. This blog commented on that draft. The final law as adopted is substantially the same.

The law primarily creates security obligations for so-called “network operators” and “critical information infrastructure operators.” Given the general definitions described below, this law could theoretically cover every organization or business with a linked computer system. There is also an obligation on “electronic information distribution service providers” and “application software download service providers” (neither of which is defined) to terminate service, employ removal measures, preserve data, and report, if they know their users install malicious programs in the information or software transmitted or transmit prohibited content (under unspecified “laws and administrative regulations”). Otherwise, there is no further mention of duties for these types of service providers. (Art. 48).

Obligations of Network Operators

The definition of network operators is broad, as it encompasses owners, managers, and service providers of computer systems, terminals, or related equipment that follow certain rules or processes for information gathering, storage, transmission, exchange, and processing. (Art. 76). Could this apply to small businesses? Theoretically yes, although it is unclear that regulators will want information or demand compliance from every small business in China, much less be able to handle that workload.

For network operators, the law implements a “tiered system for network protection.” Although the system is not defined, it will require network operators to take measures that include creating internal security management systems and assigning responsibility for network security, as well as adopting various measures to protect network security and monitor security status (with logs to be preserved for at least six months). (Art. 21).

The first draft elicited strong debate over the requirement that “critical network equipment and specialized network security products” (again, not defined) be subject to safety certification or a safety inspection. That provision remains (Art. 23), and Chinese regulators will be required to issue a catalog or index of covered equipment and products. Ideally this index will be released before the certification or safety inspection regime begins, although that is not likely.